The Downforce — the debut novel is out now
SaaS is Dead. Long Live SaaS.
Frameworks for Security Leaders

SaaS is Dead. Long Live SaaS.

Assaf Keren|10 min read

The most common conversation I have with senior security leaders right now starts the same way.

A vendor pitch deck arrives in their inbox. The deck has the same architecture diagram every other vendor in the category has. The same feature checklist. The same compliance certifications. The same promises about AI, scalability, and "enterprise-grade" everything. The CISO reads it, recognizes that it's functionally interchangeable with the three other decks in their inbox this week, and asks the question that nobody had to ask five years ago.

How do I actually tell these vendors apart?

The honest answer is: in the old SaaS world, you couldn't. Vendors competed on features that converged within two product cycles, on integrations that became table stakes, on UX that everyone copied. The moat was supposed to be in the software. Better functionality, deeper integrations, more network effects.

That moat is dead. AI is the gravedigger.

The Old Moat

For twenty years, SaaS companies have been building on the assumption that software functionality is differentiating. Build a better workflow engine, a smarter analytics layer, a more elegant API, and you win. Ship faster than the competition, integrate deeper, and you keep the customer.

That theory had a real shelf life. Salesforce built it. Workday built it. ServiceNow built it. The category leaders of the SaaS era won because they built better software faster than everyone else, then locked customers in with switching costs and integration depth.

But the theory required one specific condition: that building functionality was hard. It was the bottleneck. Companies could differentiate because writing software, designing workflows, and shipping features took time, talent, and capital that competitors couldn't easily match.

AI has collapsed that bottleneck.

The cost of building a feature parity equivalent of a SaaS product has dropped by an order of magnitude in the last eighteen months. Code generation, automated testing, AI-assisted product design, and AI-driven customer support have all compressed the time and cost of competing. A new entrant can credibly clone the functional surface of an established SaaS product in months, not years. The moat that took a decade to build is now bypassable in a quarter.

This isn't a hypothetical future. It's already happening. Every SaaS leadership team I talk to is watching the AI-enabled competitor problem come at them faster than they expected. The product roadmap they were defending is now the product roadmap a well-funded startup is shipping with AI doing 70% of the work.

If software functionality is no longer the moat, then what is?

What's Left

Three things remain when feature parity becomes cheap and fast.

Context is the accumulated, vendor-specific knowledge of how customers actually use a product. Not the surface features, but the deep patterns of how decisions get made, how workflows actually flow, how exceptions get handled, how teams collaborate around the tool. Context is durable because it lives in customer behavior and customer relationships, not in code.

Data is the customer's own data, properly handled. Not pooled, not exposed, not training shared models without consent. Data is durable because it belongs to the customer, and the vendor's job is to handle it in a way that the customer trusts.

Trust is the operational substrate beneath both. Without trust, customers won't share their context with you. Without trust, they won't give you access to their data. Trust is what makes context and data possible as moats.

Trust is the moat that survives the AI commoditization wave. Software functionality is commoditizing fast. Trust isn't, because trust can't be cloned by a code generator. Trust is built through operational excellence, sustained over years, evidenced through behavior under stress.

That's the survivable competitive advantage. Now the harder question.

Trust Requires Brilliance in the Basics

Here's where most of the conversations about "trust as a moat" go wrong.

Vendors hear "trust is the new moat" and start building trust features. They commission a Chief Trust Officer. They publish a trust portal. They get certifications. They ship "AI governance" features. They write whitepapers about responsible data handling. They put a confidence-inspiring stock photo of a vault on their security page.

None of that is trust. That's marketing about trust. The two are different.

Real trust is built on the foundation of operational excellence in the basics. The unglamorous, undifferentiated, table-stakes work that most security teams underinvest in because it doesn't generate roadmap headlines. Patch management that actually happens. Identity hygiene that actually holds. Access reviews that actually surface stale permissions. Logging that actually captures what happened. Incident response that actually works when tested. Change management that actually prevents the changes that cause outages.

These are not exciting topics. They are not what gets you on stage at RSA. They are not what the analyst report covers. They are what determines whether your customers' data is actually safe, whether your platform actually runs reliably, whether your AI features actually behave as advertised, whether your audit findings actually hold up under scrutiny.

In the old SaaS world, you could be sloppy on the basics if you were brilliant on the features. Customers couldn't see your basics. They could only see your software. So the security and operations work was treated as cost center overhead, run cheaply, hidden behind certifications that papered over the gaps.

In the new SaaS world, customers can see your basics. AI gives them tools to evaluate vendor security postures in ways that didn't exist before. Vendor risk management has moved from "review their SOC 2" to "give me real-time evidence of your controls." Customer security teams are demanding telemetry, attestation, transparency, and verifiable assurance. The basics are now visible, and vendors who run sloppy ones lose.

The vendors who win this next wave are the ones who treat the basics as the product. Not as overhead, not as a compliance line item, but as the actual thing customers are buying. Trust as a moat requires being brilliant at the basics, every day, in ways that customers can see and verify.

Security by Obscurity is Over

The old SaaS trust model was built on a specific compact: customers couldn't see what vendors actually did, but they trusted the vendor based on certifications, reputation, and policy statements.

That model worked when customers had no alternative. The five major SaaS categories had three or four dominant vendors each, all of whom operated under the same opacity model. Customers chose between vendors based on features and price, took the trust assertions on faith, and dealt with the consequences when something went wrong.

That model is dead. Two forces killed it.

The first is AI. As AI features get embedded in SaaS products, customers can no longer accept generic "we don't share your data" claims. They need to know exactly what their data does, where it goes, what models touch it, whether prompts get logged, whether outputs get cached, whether customer data improves shared models. The opacity model can't answer those questions. Vendors who refuse to answer them lose to vendors who can.

The second is the breach reality. The accumulating record of vendor security failures has trained customer security teams to disbelieve vendor assertions by default. Every CISO who's sat through an incident response where a vendor's "controls" turned out to be paperwork has internalized the lesson: don't trust, verify. The vendor risk management function has evolved from a procurement checkbox to a real operational discipline.

The combination means customers are demanding transparency that wasn't possible to demand before. Real-time evidence of controls. Detailed audit findings, not just attestation summaries. Access logs that prove access policies. Model usage telemetry. Data flow diagrams that are accurate, not aspirational. Bug bounty engagement that's genuine. Penetration test results that show what was actually tested.

Vendors who provide this transparency win. Vendors who hide behind the old opacity model lose. The reason is simple: customers can now meaningfully evaluate vendor trust postures, and they can compare them across vendors in ways they couldn't five years ago.

Security by obscurity worked when there was no alternative. Now there is. Vendors who don't adapt will lose to vendors who do.

Customer Choice as the Proof

Real trust shows up as customer choice.

The vendor who claims to handle data well, but doesn't let customers control where data lives, doesn't let them veto model training, doesn't let them control AI feature exposure, doesn't let them bring their own encryption keys, doesn't let them inspect their actual security posture in real time, is selling trust theater. The vendor who builds these choices into the product as first-class features is selling trust as a real product feature.

The list of mechanisms is concrete. Customer-controlled data residency. Customer-managed encryption keys for sensitive data. Customer veto on AI training using their data. Customer-controlled retention and deletion. Customer-accessible audit logs that show vendor access. Customer-verifiable claims about controls (not just "we say we do this" but "here's how you can confirm we do this"). Customer-controlled exposure to AI features at the field, record, or dataset level.

None of this is revolutionary technically. The architectures to support this exist. The barrier was that vendors didn't want to give up the operational simplicity and economies of scale of pure multi-tenant data pooling. The cost of customer choice was higher engineering complexity, higher operational overhead, higher per-customer support cost.

Those costs are real, but they're now necessary costs of doing business in the new SaaS world. Customers who care about trust will pay a premium for vendors who offer real choice. Vendors who don't offer choice will either pivot or lose enterprise revenue.

The strongest signal that a SaaS vendor is serious about trust is the depth and seriousness of the choices they offer customers. Everything else is marketing.

What This Means for Senior Security Leaders

Two audiences need to hear this differently.

If you're a CISO at a SaaS vendor, this is the work. Stop trying to be clever with trust features that are marketing artifacts. Stop pretending that policy theater is the same as operational excellence. Start being relentlessly competent at the basics, visibly so, in ways customers can see and verify. Build customer choice into the product as a first-class feature. Make transparency a default, not a request. The old playbook of "we have certifications, trust us" is finished. The new playbook is "here's the evidence, here's the choice, verify whatever you want."

If you're a CISO at a SaaS customer, this is your leverage. Stop accepting vendor opacity. Stop checking the certification box and moving on. Demand evidence, not attestation. Demand choice, not policy. Walk away from vendors who can't provide either. The market is rewarding the vendors who get this, and your vendor evaluation criteria should reflect that. Your job is not just to evaluate vendor risk. Your job is to drive the SaaS market toward the operating model your business actually needs.

What Survives

SaaS isn't dying. The SaaS that thought software was the moat is dying. That model assumed customers would tolerate opacity, pooled multi-tenant data, vendor-controlled trust narratives, and feature-based differentiation. AI commoditized the features, and customers stopped tolerating the rest.

What survives is the SaaS built on a different foundation. Trust as a moat. Brilliance in the basics, evidenced not claimed. Customer choice as the proof. Transparency as the default. Operational excellence as the product.

Software was never really the moat. Customers were tolerating the lack of choice because they had no alternative. Now they do. The vendors who internalize this and rebuild around trust as a real, operational, evidenced feature will win the next decade of SaaS. The vendors who keep selling the old moat will lose.

Long live SaaS. Just not the version we've been living with.

From the book

This post draws on the frameworks in Lessons from the Frontlines — 25+ years of security leadership, distilled.

Explore Lessons from the Frontlines

Get new posts in your inbox

Frameworks and frontline lessons for security leaders. No spam, unsubscribe anytime.